Users can indefinitely claim tokens even after the vesting period has ended.
The function claim in VestedAirdrop.vy does not check whether block.timestamp has exceeded self.vesting_end_time. As a result, users can continue claiming tokens forever, even after the intended vesting period. This can drain the protocol's treasury, leaving it with no control over token distribution.
The function only ensures the vesting period has started, but never checks if it has ended. Users can call claim() even after the vesting period is over and continue draining tokens. Since _calculate_vested_amount(total_amount) will always return total_amount after vesting ends, users can keep claiming the same amount repeatedly.
Loss of funds due to perpetual claims after vesting should have ended: the protocol loses all allocated tokens over time due to never-ending claims.
Tools used: manual review.
Add a check to prevent claims after vesting ends.
assert block.timestamp <= self.vesting_end_time, "Vesting period ended"
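To make the reported behaviour concrete, here is an added Python model of the claim path as the finding describes it. It is not the VestedAirdrop.vy source; the storage layout, the linear vesting curve, the treasury figure and the sample allocation are assumptions. The same model runs once without the end-time check and once with the recommended assert.

```python
# Added example: a minimal Python model of the claim() path the finding
# describes. NOT the VestedAirdrop.vy source; the storage layout, linear
# vesting curve, treasury figure and sample allocation are assumptions.

class VestingModel:
    def __init__(self, start, end, treasury, allocations, enforce_end=False):
        self.vesting_start_time = start
        self.vesting_end_time = end
        self.treasury = treasury                  # tokens the contract holds
        self.allocations = dict(allocations)      # user -> total_amount
        self.balances = {user: 0 for user in allocations}
        self.enforce_end = enforce_end            # False: as reported, True: with fix

    def _calculate_vested_amount(self, total_amount, now):
        # Linear release between start and end; once now >= vesting_end_time
        # this returns total_amount, which is the property the finding relies on.
        if now <= self.vesting_start_time:
            return 0
        if now >= self.vesting_end_time:
            return total_amount
        elapsed = now - self.vesting_start_time
        duration = self.vesting_end_time - self.vesting_start_time
        return total_amount * elapsed // duration

    def claim(self, user, now):
        # Existing check: vesting must have started.
        assert now >= self.vesting_start_time, "Vesting not started"
        if self.enforce_end:
            # Recommended mitigation from the finding.
            assert now <= self.vesting_end_time, "Vesting period ended"
        amount = self._calculate_vested_amount(self.allocations[user], now)
        # As reported, nothing records what the user already received,
        # so the full vested amount is paid out on every call.
        assert amount <= self.treasury, "Treasury exhausted"
        self.treasury -= amount
        self.balances[user] += amount
        return amount


def claim_after_end(enforce_end, rounds=3):
    """Call claim() after vesting_end_time; returns (treasury, paid, reverted)."""
    model = VestingModel(100, 200, 1_000, {"alice": 100}, enforce_end)
    reverted = False
    for _ in range(rounds):
        try:
            model.claim("alice", now=250)   # well past vesting_end_time
        except AssertionError:
            reverted = True
            break
    return model.treasury, model.balances["alice"], reverted
```

Note that the recommended assert also rejects a first claim that arrives after vesting_end_time; whether that matches the protocol's intended distribution is for the team to confirm.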